The blog post quoted below is one we've mentioned before, and it remains a refreshing read. Rather than terrify us all into submission, the Information Commissioner's Office seems to be positioning GDPR as an evolution that we work towards, rather than an axe falling on our heads (or necks - surely to do the job properly it would be our necks?).
What's interesting here is that almost every seminar, webinar and event I've attended on GDPR seems to be banging the 72-hour 'report a breach' drum with such fervour that fear is inevitable. Indeed, it's often said that failure to do so will mean your business will be closed down and some form of mediaeval punishment delivered. At the very least you should expect to find your head on a pole outside the Tower of London. Or something...
However, the ICO seems to be taking a softer line. It looks like common sense, rather than fear, is driving the fines and consequences when it comes to the GDPR.
This is a good thing and while it doesn't mean we should be complacent, it does allow us to be human.
Myth #6: All details need to be provided as soon as a personal data breach occurs.

Fact: Under the GDPR there is a requirement for organisations to report a personal data breach that affects people's rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it. Organisations will have to provide certain details when reporting, but the GDPR says that where the organisation doesn't have all the details available, more can be provided later. The ICO will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident - but we will want to know the potential scope and the cause of the breach, mitigation actions you plan to take, and how you plan to address the problem.